Use It Or Lose It

Paul Whytock | Feb 20, 2008

Some recent discussions on data security, or more accurately the lack of security, have piqued my curiosity. My interest was prompted by a couple of things. First, there was the totally irresponsible loss of 25 million UK citizens’ personal details by a UK government department. Second, there’s the risk people are taking using the mega-fashionable social-networking sites like MySpace and Facebook.

Cyber thieves must be rubbing their hands with glee at the potential Internet crimes they can perpetrate thanks to data-protection inefficiencies of organisations—data that should be bulletproof against any threat. Indeed, 2008 has been tagged as the year that cyber crime will escalate in the extreme. In fact, many examples of viruses have already emerged, viruses that probe social-networking sites for people’s details.

What about encryption in all of this? Foremost, it should be mandatory that organisations responsible for private data use modern encryption technology. It’s unbelievable that the UK government department I previously mentioned actually mailed the data of 25 million people on two unencrypted CDs in the regular postal system—and they got lost!

It is fair to say that modern encryption methods work fairly well. However, it’s crucial that they remain in a constant state of development to keep ahead of the cyber thieves.

Thirty years ago, IBM unveiled the DES encryption standard. DES is public key cryptography (PKC) that relies on the use of two keys, a Public key and a Private key. Data encrypted with the Public key can only be decrypted by the holder of the Private key. A commonly employed example of a PKC system is the Secure Sockets Layer (SSL) protocol, which ensures that payment transactions on the Internet are secure.

So far so good, except that some code experts are starting to consider that DES is no longer as secure as it needs to be. This is because of its short key length of 56bits. The more bits used in the key, the harder it is for cyber thieves to decrypt the data. Consequently, DES is being replaced by more modern encryption standards, such as Triple DES and the Advanced Encryption Standard, which uses key lengths of 128, 192 and 256bits.

Generally speaking, encryption technology is capable of protecting a good portion of data. So my advice for organisations, including government departments, is simply “use it or lose it.”